April 16, 2000
FYI - One of our readers sent me an article entitled "How to Hack a Bank," which can be found in the April 3, 2000, edition of Forbes. If you do not have the magazine, you will find the article at
INTERNET SECURITY - Factors to Consider in Evaluating Intrusion Detection Systems (IDS)
Once it is determined that an IDS is necessary to detect possible security breaches, several factors should be considered in evaluating IDSs, including:
(1) The comprehensiveness of the attack signature database, including the frequency of updates that incorporate newly identified concerns. Most products rely on vendor updates, so banks need to assess the timeliness of the IDS vendor's updates. Products can be updated through Internet downloads, CD-ROM or floppy disk updates, or even manually if the user has a sufficient degree of technical knowledge.
(2) The effectiveness of the IDS in protecting an institution from both internal and external threats to a computer system. The IDS should limit the number of false positives (incorrectly identifying an attack when none has occurred) and false negatives (not identifying an attack when one has occurred).
(3) The impact on performance of the network and/or host(s). Generally, IDSs work on a real-time basis. Real-time analysis provides quicker notification of potential intrusions; however, it can reduce system performance due to the additional memory and processing requirements. Non-real-time analysis generally consumes fewer resources, but has the disadvantage that the potential intrusion has already occurred. Knowledgeable intruders, moreover, can manipulate audit trails, making the after-the-fact analysis useless in detecting these particular intruders.
(4) The security of the IDS itself and how secure the update process is, especially if updated remotely.
(5) The reporting and automated response capabilities. IDSs will sometimes generate more information than the qualified staff on hand can review. Also, for privacy reasons, management should consider informing all affected system users about the scope and type of monitoring being conducted.
Other things to consider include training and support from the vendor, cost of hardware, software, and maintenance agreements, integration with vulnerability assessment tools, and configuration capabilities.
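To make factors (1), (2) and (4) concrete, here is an added illustration (not from any vendor product or from this newsletter) of how a bank's own technical staff might test an IDS signature database against a small set of labelled log lines. The log lines, the signature patterns, the two "database versions" and the update digest are all constructed for this example; counting true/false positives and negatives this way is what lets you compare the comprehensiveness and accuracy of one signature set, or one vendor update, against another.

```python
"""
Added example: a toy signature-based intrusion detector, evaluated against
labelled sample log lines. Everything below (log lines, signatures, labels,
update digest) is constructed for illustration and is not vendor data.
"""
import hashlib
import hmac
import re
from typing import Dict, List, Tuple

# Constructed web-server log lines paired with a ground-truth label
# (True = known attack, False = benign traffic).
SAMPLE_LOG: List[Tuple[str, bool]] = [
    ('10.0.0.5 - - "GET /index.html HTTP/1.0" 200', False),
    ('10.0.0.7 - - "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200', True),
    ('10.0.0.9 - - "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200', True),
    ('10.0.0.3 - - "GET /docs/passwd-policy.html HTTP/1.0" 200', False),
    ('10.0.0.4 - - "POST /login HTTP/1.0" 302', False),
    ('10.0.0.8 - - "GET /cgi-bin/test-cgi?* HTTP/1.0" 200', True),
]

# Version 1 of the signature database: one narrow rule and one over-broad rule
# (the broad "passwd" rule will fire on a harmless documentation URL).
SIGNATURES_V1: Dict[str, str] = {
    "phf-cgi": r"/cgi-bin/phf\?",
    "passwd-anywhere": r"passwd",
}

# Version 2 ("vendor update"): the broad rule is tightened and two signatures
# are added for patterns that version 1 missed entirely.
SIGNATURES_V2: Dict[str, str] = {
    "phf-cgi": r"/cgi-bin/phf\?",
    "etc-passwd-read": r"/etc/passwd",
    "iis-unicode-traversal": r"/\.\.%c[01]%",
    "test-cgi-probe": r"/cgi-bin/test-cgi\?",
}


def match_signatures(line: str, signatures: Dict[str, str]) -> List[str]:
    """Return the names of every signature whose pattern occurs in the line."""
    return [name for name, pattern in signatures.items() if re.search(pattern, line)]


def evaluate(signatures: Dict[str, str], log: List[Tuple[str, bool]]) -> Dict[str, int]:
    """Count true/false positives and negatives for a signature set over labelled log lines."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for line, is_attack in log:
        flagged = bool(match_signatures(line, signatures))
        if flagged and is_attack:
            counts["tp"] += 1        # attack correctly detected
        elif flagged and not is_attack:
            counts["fp"] += 1        # false positive: benign line flagged
        elif not flagged and is_attack:
            counts["fn"] += 1        # false negative: attack missed
        else:
            counts["tn"] += 1        # benign line correctly ignored
    return counts


def rates(counts: Dict[str, int]) -> Tuple[float, float]:
    """Detection rate (tp / all attacks) and false-positive rate (fp / all benign)."""
    attacks = counts["tp"] + counts["fn"]
    benign = counts["fp"] + counts["tn"]
    return counts["tp"] / attacks, counts["fp"] / benign


def verify_update(update_bytes: bytes, expected_sha256_hex: str) -> bool:
    """Minimal integrity check for a downloaded signature update (factor 4).

    A bare digest only catches corruption or a tampered file when the expected
    digest itself came over a trusted channel; a real product should verify a
    vendor signature, not just a hash. compare_digest avoids timing leaks.
    """
    actual = hashlib.sha256(update_bytes).hexdigest()
    return hmac.compare_digest(actual, expected_sha256_hex)


def serialize(signatures: Dict[str, str]) -> bytes:
    """Deterministic on-disk form of a signature set, used for the update check."""
    return "\n".join(f"{k}\t{v}" for k, v in sorted(signatures.items())).encode()


if __name__ == "__main__":
    for label, sigs in (("v1", SIGNATURES_V1), ("v2", SIGNATURES_V2)):
        c = evaluate(sigs, SAMPLE_LOG)
        det, fpr = rates(c)
        print(f"{label}: {c}  detection={det:.2f}  false-positive={fpr:.2f}")
    # Pretend the vendor published this digest for the v2 update.
    published = hashlib.sha256(serialize(SIGNATURES_V2)).hexdigest()
    print("v2 update verifies:", verify_update(serialize(SIGNATURES_V2), published))
```

Running this shows version 1 missing two of the three attacks and flagging the harmless passwd-policy page, while version 2 catches all three with no false positives on this sample; the same harness, fed the bank's own traffic, is how to judge a vendor's update timeliness and accuracy rather than taking the marketing sheet's word for it.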
INTERNET COMPLIANCE - Regulations that allow disclosures/notices to be delivered electronically and require institutions to deliver disclosures in a form the customer can keep have been the subject of questions regarding how institutions can ensure that the consumer can "keep" the disclosure. A consumer using certain electronic devices, such as Web TV, may not be able to print or download the disclosure. If feasible, a financial institution may wish to include in its on-line program the ability for consumers to give the financial institution a non-electronic address to which the disclosures can be mailed.
In those instances where an electronic form of communication is permissible by regulation, to reduce compliance risk institutions should ensure that the consumer has agreed to receive disclosures and notices through electronic means. Additionally, institutions may want to provide information to consumers about the ability to discontinue receiving disclosures through electronic means, and to implement procedures to carry out consumer requests to change the method of delivery.
Furthermore, financial institutions advertising or selling non-deposit investment products through on-line systems, like the Internet, should ensure that consumers are informed of the risks associated with nondeposit investment products as discussed in the "Interagency Statement on Retail Sales of Non Deposit Investment Products."
On-line systems should comply with this Interagency Statement, minimizing the possibility of customer confusion and preventing any inaccurate or misleading impression about the nature of the nondeposit investment product or its lack of FDIC insurance.
IN CLOSING - In observance of the Easter weekend, we will not publish a newsletter. We hope you have a great weekend with family and friends.